Bug 274927 - [GTK] UI process crash in gtk_accessible_update_children
Summary: [GTK] UI process crash in gtk_accessible_update_children
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: Other
Hardware: PC Linux
Importance: P2 Normal
Assignee: Michael Catanzaro
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-30 14:14 PDT by Michael Catanzaro
Modified: 2024-05-31 05:20 PDT
CC List: 2 users

See Also:


Description Michael Catanzaro 2024-05-30 14:14:07 PDT
Visit https://pwg.org/printers/ in Epiphany Tech Preview using WebKitGTK 2.45.3. Click on the "Make, model, etc." search entry, press Ctrl+W to close the page. The UI process will crash.

This is obscuring bug #272248, a web process crash that occurs when following the same steps.

(gdb) bt
#0  0x00007f0468aeb2bd in gtk_accessible_update_children
    (self=0x55857cade850, child=child@entry=0x55857d3cdad0, state=state@entry=GTK_ACCESSIBLE_CHILD_STATE_REMOVED) at ../gtk/gtkaccessible.c:1334
#1  0x00007f0468cc8176 in gtk_widget_unparent (widget=0x55857d3cdad0 [GtkPopover]) at ../gtk/gtkwidget.c:2560
#2  0x00007f046448c533 in WebKit::WebDataListSuggestionsDropdownGtk::~WebDataListSuggestionsDropdownGtk (this=0x7f04595480c0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/gtk/WebDataListSuggestionsDropdownGtk.cpp:113
#3  WebKit::WebDataListSuggestionsDropdownGtk::~WebDataListSuggestionsDropdownGtk (this=0x7f04595480c0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/gtk/WebDataListSuggestionsDropdownGtk.cpp:102
#4  0x00007f04643389fc in WTF::RefCounted<WebKit::WebDataListSuggestionsDropdown>::deref (this=0x55857cade858) at WTF/Headers/wtf/RefCounted.h:220
#5  WTF::DefaultRefDerefTraits<WebKit::WebDataListSuggestionsDropdown>::derefIfNotNull (ptr=0x55857cade850, ptr@entry=0x7f03ed1c4800)
    at WTF/Headers/wtf/Ref.h:62
#6  WTF::RefPtr<WebKit::WebDataListSuggestionsDropdown, WTF::RawPtrTraits<WebKit::WebDataListSuggestionsDropdown>, WTF::DefaultRefDerefTraits<WebKit::WebDataListSuggestionsDropdown> >::~RefPtr (this=0x7f03ed1c5180) at WTF/Headers/wtf/RefPtr.h:60
#7  WebKit::WebPageProxy::Internals::~Internals (this=0x7f03ed1c4800)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxyInternals.h:153
#8  0x00007f04642eed9e in std::default_delete<WebKit::WebPageProxy::Internals>::operator() (this=<optimized out>, __ptr=0x7f03ed1c4800)
    at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/13.2.0/../../../../include/c++/13.2.0/bits/unique_ptr.h:99
#9  std::unique_ptr<WebKit::WebPageProxy::Internals, std::default_delete<WebKit::WebPageProxy::Internals> >::~unique_ptr (this=0x7f04594eb4a8)
    at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/13.2.0/../../../../include/c++/13.2.0/bits/unique_ptr.h:404
#10 WTF::UniqueRef<WebKit::WebPageProxy::Internals>::~UniqueRef (this=0x7f04594eb4a8) at WTF/Headers/wtf/UniqueRef.h:57
#11 WebKit::WebPageProxy::~WebPageProxy (this=0x7f04594eb480) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:831
#12 0x00007f04642efb92 in WebKit::WebPageProxy::~WebPageProxy (this=0x55857cade850)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:790
#13 0x00007f04643408be in WTF::ThreadSafeRefCounted<API::Object, (WTF::DestructionThread)0>::deref() const::{lambda()#1}::operator()() const
    (this=<optimized out>) at WTF/Headers/wtf/ThreadSafeRefCounted.h:144
#14 WTF::ThreadSafeRefCounted<API::Object, (WTF::DestructionThread)0>::deref (this=0x55857cade858) at WTF/Headers/wtf/ThreadSafeRefCounted.h:156
#15 WTF::DefaultRefDerefTraits<WebKit::WebPageProxy>::derefIfNotNull (ptr=0x55857cade850) at WTF/Headers/wtf/Ref.h:62
#16 WTF::Ref<WebKit::WebPageProxy, WTF::RawPtrTraits<WebKit::WebPageProxy>, WTF::DefaultRefDerefTraits<WebKit::WebPageProxy> >::~Ref (this=0x7f0459572648)
    at WTF/Headers/wtf/Ref.h:82
#17 WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0::~$_0() (this=0x7f0459572648) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:3484
#18 IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::MouseEvent, WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0>(WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0&&, WTF::ThreadLikeAssertion)::{lambda(IPC::Decoder*)#1}::~ThreadLikeAssertion() (this=0x7f0459572648) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.h:794
#19 WTF::Detail::CallableWrapper<IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::MouseEvent, WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0>(WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0&&, WTF::ThreadLikeAssertion)::{lambda(IPC::Decoder*)#1}, void, IPC::Decoder*>::~CallableWrapper() (this=0x7f0459572640) at WTF/Headers/wtf/Function.h:47
#20 WTF::Detail::CallableWrapper<IPC::Connection::makeAsyncReplyCompletionHandler<Messages::WebPage::MouseEvent, WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0>(WebKit::WebPageProxy::sendMouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits> > const&, WebKit::NativeWebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)::$_0&&, WTF::ThreadLikeAssertion)::{lambda(IPC::Decoder*)#1}, void, IPC::Decoder*>::~CallableWrapper() (this=0x7f0459572640) at WTF/Headers/wtf/Function.h:47
#21 0x00007f046426bff1 in WTF::Function<void (IPC::Decoder*)>::operator()(IPC::Decoder*) const (in=0x7f0459019400, this=<optimized out>)
    at WTF/Headers/wtf/Function.h:82
#22 WTF::CompletionHandler<void (IPC::Decoder*)>::operator()(IPC::Decoder*) (this=0x7ffde25347a0, in=0x7f0459019400)
    at WTF/Headers/wtf/CompletionHandler.h:78
#23 IPC::Connection::dispatchMessage (this=0x7f0459049860, decoder=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1312
#24 0x00007f046426c175 in IPC::Connection::dispatchMessage (this=0x7f0459049860, message=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1378
#25 0x00007f046426c6b1 in IPC::Connection::dispatchIncomingMessages (this=0x7f0459049860)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/Platform/IPC/Connection.cpp:1488
#26 0x00007f04631a615b in WTF::Function<void ()>::operator()() const (this=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/Function.h:82
#27 WTF::RunLoop::performWork (this=0x7f04590140e0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/RunLoop.cpp:147
#28 0x00007f046320be0d in WTF::RunLoop::RunLoop()::$_0::operator()(void*) const (userData=0x55857cade850, 
    userData@entry=0x7f04590140e0, this=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#29 WTF::RunLoop::RunLoop()::$_0::__invoke(void*) (userData=0x55857cade850)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:79
#30 0x00007f046320af71 in WTF::RunLoop::$_0::operator()
    (source=0x55857b4ebfb0, callback=0x7f046320be00 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7f04590140e0, this=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#31 WTF::RunLoop::$_0::__invoke (source=0x55857b4ebfb0, callback=0x7f046320be00 <WTF::RunLoop::RunLoop()::$_0::__invoke(void*)>, userData=0x7f04590140e0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#32 0x00007f046983d787 in g_main_dispatch (context=context@entry=0x55857b4a9950) at ../glib/gmain.c:3348
#33 0x00007f046983f927 in g_main_context_dispatch_unlocked (context=0x55857b4a9950) at ../glib/gmain.c:4197
#34 g_main_context_iterate_unlocked (context=context@entry=0x55857b4a9950, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at ../glib/gmain.c:4262
#35 0x00007f04698400d3 in g_main_context_iteration (context=context@entry=0x55857b4a9950, may_block=may_block@entry=1) at ../glib/gmain.c:4327
#36 0x00007f04696de40d in g_application_run (application=0x55857b4e57c0 [EphyShell], argc=<optimized out>, argv=<optimized out>)
    at ../gio/gapplication.c:2712
#37 0x0000558579a0713e in main (argc=<optimized out>, argv=<optimized out>) at ../src/ephy-main.c:461

More detail on the first few frames:

(gdb) bt full
#0  0x00007f0468aeb2bd in gtk_accessible_update_children
    (self=0x55857cade850, child=child@entry=0x55857d3cdad0, state=state@entry=GTK_ACCESSIBLE_CHILD_STATE_REMOVED) at ../gtk/gtkaccessible.c:1334
        __inst = 0x55857cade850
        __t = 0x55857b4e4a20 [GtkWidget/GInitiallyUnowned]
        __r = <optimized out>
        context = <optimized out>
#1  0x00007f0468cc8176 in gtk_widget_unparent (widget=0x55857d3cdad0 [GtkPopover]) at ../gtk/gtkwidget.c:2560
        priv = <optimized out>
        old_parent = <optimized out>
        old_prev_sibling = <optimized out>
        root = <optimized out>
        __func__ = "gtk_widget_unparent"
#2  0x00007f046448c533 in WebKit::WebDataListSuggestionsDropdownGtk::~WebDataListSuggestionsDropdownGtk (this=0x7f04595480c0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/gtk/WebDataListSuggestionsDropdownGtk.cpp:113
        _pp = {in = 0x7f04595480e8 "", out = 0x7f04595480e8}
        _p = 0x55857cade850
        _pp = {in = <optimized out>, out = <optimized out>}
        _p = <optimized out>
        _destroy = <optimized out>
#3  WebKit::WebDataListSuggestionsDropdownGtk::~WebDataListSuggestionsDropdownGtk (this=0x7f04595480c0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/gtk/WebDataListSuggestionsDropdownGtk.cpp:102
#4  0x00007f04643389fc in WTF::RefCounted<WebKit::WebDataListSuggestionsDropdown>::deref (this=0x55857cade858) at WTF/Headers/wtf/RefCounted.h:220
#5  WTF::DefaultRefDerefTraits<WebKit::WebDataListSuggestionsDropdown>::derefIfNotNull (ptr=0x55857cade850, ptr@entry=0x7f03ed1c4800)
    at WTF/Headers/wtf/Ref.h:62
#6  WTF::RefPtr<WebKit::WebDataListSuggestionsDropdown, WTF::RawPtrTraits<WebKit::WebDataListSuggestionsDropdown>, WTF::DefaultRefDerefTraits<WebKit::WebDataListSuggestionsDropdown> >::~RefPtr (this=0x7f03ed1c5180) at WTF/Headers/wtf/RefPtr.h:60
#7  WebKit::WebPageProxy::Internals::~Internals (this=0x7f03ed1c4800)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxyInternals.h:153
#8  0x00007f04642eed9e in std::default_delete<WebKit::WebPageProxy::Internals>::operator() (this=<optimized out>, __ptr=0x7f03ed1c4800)
    at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/13.2.0/../../../../include/c++/13.2.0/bits/unique_ptr.h:99
#9  std::unique_ptr<WebKit::WebPageProxy::Internals, std::default_delete<WebKit::WebPageProxy::Internals> >::~unique_ptr (this=0x7f04594eb4a8)
    at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/13.2.0/../../../../include/c++/13.2.0/bits/unique_ptr.h:404
        __ptr = @0x7f04594eb4a8: 0x7f03ed1c4800
#10 WTF::UniqueRef<WebKit::WebPageProxy::Internals>::~UniqueRef (this=0x7f04594eb4a8) at WTF/Headers/wtf/UniqueRef.h:57
#11 WebKit::WebPageProxy::~WebPageProxy (this=0x7f04594eb480) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:831
        preferences = {static isRef = <optimized out>, m_ptr = <optimized out>}
#12 0x00007f04642efb92 in WebKit::WebPageProxy::~WebPageProxy (this=0x55857cade850)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebKit/UIProcess/WebPageProxy.cpp:790
Comment 1 Michael Catanzaro 2024-05-30 14:16:47 PDT
There's a helpful warning before the crash:

(epiphany:2): Gtk-WARNING **: 16:16:17.698: Finalizing EphyWebView 0x55d4f7569670, but it still has children left:
   - GtkPopover 0x55d4f7615fd0

This should probably be a critical rather than a warning.
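The warning quoted in Comment 1 is GTK's finalize-time check for a parent widget that still has children attached. Put next to the backtrace, the picture is: the GtkPopover owned by WebDataListSuggestionsDropdownGtk is unparented in that object's destructor, which runs while the WebPageProxy is being destroyed, and by then the EphyWebView that was the popover's parent has already been finalized. The C program below is an added illustration of that ordering rule; it is not GTK or WebKit code. It models a widget with a non-owning parent pointer and a strong-ref child list, reports leftover children at finalize the way the warning does (and, like GTK, leaks them with a dangling parent pointer), and, unlike GTK, checks a registry of live widgets in widget_unparent() so the wrong order shows up as a return value instead of a crash. The widget names, the registry, and the run() driver that plays both destruction orders are assumptions of the model.

```c
/* Added example (not GTK or WebKit code): toy model of the GTK4 parent/child
 * ownership rule behind this crash. Model assumptions: a widget keeps a raw,
 * non-owning pointer to its parent; the parent holds a strong ref on each
 * child; finalizing a parent with children left only reports them, as GTK's
 * "still has children left" warning does, and leaves their parent pointers
 * dangling. Unlike GTK, widget_unparent() consults a registry of live widgets,
 * so the bad order is reported rather than dereferencing freed memory. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHILDREN 8
#define MAX_LIVE 16

typedef struct Widget Widget;
struct Widget {
    const char *name;
    int refcount;
    Widget *parent;                 /* non-owning, like GtkWidget's parent */
    Widget *children[MAX_CHILDREN]; /* strong refs, like GTK's child list */
    int n_children;
};

/* Registry of live widget addresses: stands in for "is this memory valid?".
 * Addresses are compared, never dereferenced, so a freed parent is safe to
 * test here (an address reused by a later allocation would fool it; no
 * allocation happens between a free and the check in run() below). */
static Widget *live[MAX_LIVE];

static int widget_is_live(const Widget *w)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == w)
            return 1;
    return 0;
}

static Widget *widget_new(const char *name)
{
    Widget *w = calloc(1, sizeof *w);
    w->name = name;
    w->refcount = 1;                /* the creator's (owner's) reference */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = w; break; }
    return w;
}

/* Children still attached when the most recent widget was finalized. */
static int last_finalize_children_left;

static void widget_unref(Widget *w)
{
    if (--w->refcount > 0)
        return;
    /* finalize: like gtk_widget_finalize(), report leftover children and
     * leak them; their parent pointers now dangle */
    last_finalize_children_left = w->n_children;
    if (w->n_children > 0)
        fprintf(stderr, "Finalizing %s %p, but it still has children left:\n",
                w->name, (void *)w);
    for (int i = 0; i < w->n_children; i++)
        fprintf(stderr, "   - %s %p\n", w->children[i]->name, (void *)w->children[i]);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == w) live[i] = NULL;
    free(w);
}

/* Like gtk_widget_set_parent(): the parent takes a strong reference. */
static void widget_set_parent(Widget *child, Widget *parent)
{
    child->parent = parent;
    child->refcount++;
    parent->children[parent->n_children++] = child;
}

/* Like gtk_widget_unparent(): updates the parent (in GTK this includes the
 * parent's accessible child list, frame #0 of the backtrace above) and drops
 * the parent's reference. Returns 0 on success, -1 if the parent is already
 * finalized; real GTK has no such check and dereferences freed memory. */
static int widget_unparent(Widget *child)
{
    Widget *parent = child->parent;
    if (parent == NULL)
        return 0;
    if (!widget_is_live(parent))
        return -1;                  /* dangling parent pointer */
    for (int i = 0; i < parent->n_children; i++)
        if (parent->children[i] == child) {
            parent->children[i] = parent->children[--parent->n_children];
            break;
        }
    child->parent = NULL;
    widget_unref(child);
    return 0;
}

/* One run of the bug's teardown. The view widget is the popover's parent; a
 * separate owner (the dropdown object in this bug) holds the creator's ref on
 * the popover. unparent_in_dispose == 0: the owner unparents the popover only
 * after the view is gone, the order the backtrace shows. == 1: the owner
 * unparents it while the view is still alive, which is the rule GTK expects.
 * Returns children left at the view's finalize; *unparent_rc gets the
 * widget_unparent() result. */
static int run(int unparent_in_dispose, int *unparent_rc)
{
    Widget *view = widget_new("EphyWebView");
    Widget *popover = widget_new("GtkPopover");
    widget_set_parent(popover, view);
    *unparent_rc = 0;
    if (unparent_in_dispose)
        *unparent_rc = widget_unparent(popover);   /* view still live */
    widget_unref(view);                            /* view finalized here */
    int left = last_finalize_children_left;
    if (!unparent_in_dispose)
        *unparent_rc = widget_unparent(popover);   /* too late: parent freed */
    widget_unref(popover);   /* owner's ref; in the bad order the view's leaked
                                ref keeps the popover alive, as in GTK */
    return left;
}

static int children_left_at_finalize(int unparent_in_dispose)
{
    int rc;
    return run(unparent_in_dispose, &rc);
}

static int unparent_result(int unparent_in_dispose)
{
    int rc;
    run(unparent_in_dispose, &rc);
    return rc;
}

int main(void)
{
    printf("bad order:  children left=%d, unparent rc=%d\n",
           children_left_at_finalize(0), unparent_result(0));
    printf("good order: children left=%d, unparent rc=%d\n",
           children_left_at_finalize(1), unparent_result(1));
    return 0;
}
```

In the bad order the model reports one child left at finalize and a failed late unparent; in the good order both are zero. The fix shape this implies is the one GTK documents for any widget that creates child widgets: unparent them in the owner's dispose path, while the parent is still alive, rather than from a destructor that runs after the containing view has gone away.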
Comment 2 Michael Catanzaro 2024-05-30 16:30:47 PDT
Pull request: https://github.com/WebKit/WebKit/pull/29341
Comment 3 EWS 2024-05-31 05:20:03 PDT
Committed 279571@main (34f75014ef73): <https://commits.webkit.org/279571@main>

Reviewed commits have been landed. Closing PR #29341 and removing active labels.